how to roll you own vpn with aws cloudformation - part one
Share on facebook
Share on twitter
Share on linkedin

How to Roll Your Own VPN with AWS CloudFormation – Part One

ACG Technical Editors Team
ACG Technical Editors Team

In this three-part series, we will walk through provisioning an OpenVPN endpoint on AWS using CloudFormation to automate the deployment. Our use case will be to configure OpenVPN as a personal internet proxy – with modification, other possibilities include bastion host, VPC peering, and home network extension.

A quick note before we begin – the resources we create in this tutorial may incur charges on your account if you’re not eligible for the free tier of AWS service. In this first guide, the resources will be minimal and only cost a few cents. However, if you’re following along, be sure to delete your stack when you’re finished. Otherwise, you may be charged.

What is CloudFormation?

CloudFormation is an Amazon Web Service that allows you to write code that describes your infrastructure. This is an important service for large organizations or some smaller ones that rely on automation. With CloudFormation, you don’t need to create and configure your infrastructure through the AWS Web Console, which can take hours even if you know exactly what to do. Instead, you can describe the system using YAML (or JSON), upload it to CloudFormation, and within minutes have the infrastructure necessary to run your services. That’s what we’ll be doing in the next few sections.

The Tools We’ll Need

You can use the tools of your choice to edit CloudFormation templates. This is what I use:

  • Atom text editor
  • Atom plugin – YAML linter
    • Features integrated YAML linting with support for the AWS CloudFormation tag expansions.

All you really need is a text editor. If you have one that you’re comfortable with already, it should do the job.

What We’ll Create With CloudFormation

In the first section, we will walk through the creation of the base AWS environment for our OpenVPN endpoint using CloudFormation. This will be a simple VPC having a single subnet with a route to the internet and could be used as a basis for other projects. Let’s take a look at what the base template looks like. This template contains the AWS resources we need to provision for our AWS VPN server, but none of the OpenVPN configuration (we’ll cover that in the next section).To get started, copy our base template and paste it into your text editor.Get the base template here.

What’s in Our CloudFormation Template

If you’re not familiar with CloudFormation templates, they can be a bit overwhelming. Although each piece is meant to have a descriptive, clear name, there’s a lot of information to digest. Let’s break this template down into its components so we know exactly what we’ll be creating.


  • OpenVPNPort – The UDP port number to accept with our Security Group
  • SSHKeyName – This is the Key Pair Name string you want to be associated with the EC2 instance. You can use an existing key pair, or create a new one in the EC2 Web Console. If you’re creating a new key pair, you’ll need to do so before it can be used in your template.
  • ClientIPCIDR – Clients IP range which will be allowed by the Security Group


  • RegionMap – The AMI ID differs per Region, despite the AMIs being copies of the same source image. We will be using a static mapping of AMI IDs that are keyed by region. When the template runs we will use the mapped value matching the AWS region which the template is being run within.
    • It is also possible to dynamically query AWS for an AMI ID using Lambda and return the value to the CloudFormation stack via a custom resource. For our use case, this doesn’t bring any value and would add considerable complexity, so we will be using the static map.


  • myVPC – Our VPC where most of our resources will be provisioned.
    • It contains a CidrBlock property, which sets the addressing. We only need 1 IP address for our OpenVPN server, I just like even numbers and 8-bit subnets.
  • MyPublicSubnet – The only subnet we will create within our VPC. Our OpenVPN server will be provisioned within. This subnet will be assigned a default route out to the internet, hence the name.
    • This also contains a CidrBlock property that specifies an 8-bit subnet, which provides 256 addresses (251 of which are usable).
  • myInternetGateway – We will need our VPC to have access to the internet.
  • myRouteTablePublic – The VPC route table we’ll use.
  • AttachInternetGateway – Attaches the Internet Gateway to myVPC.
  • RouteDefaultPublic – Adds a default route to our VPCs internet gateway. Any packets with a destination IP not falling within the VPC range will be sent to the internet gateway via this route.
  • MyPublicSubnetRouteTableAssociation – Associates our route table to our subnet.
  • myEIP – Requests a new Elastic IP Address.
  • AssociateManagementAccessPort – Binds our Elastic IP Address to an Elastic Network Interface.
  • OpenVPNInstanceSG – Creates a security group for the ENI that will be attached to our OpenVPN server.
    • This also provides OpenVPN and SSH port access
  • myEC2InstanceRole – This is the IAM role which will be associated with our EC2 instance.
  • myAccessPolicy – This is the IAM policy that will be attached to our EC2 instance role. The policy grants full access to the S3 bucket created by this stack.
  • ec2InstanceProfile – Binding profile for our myEC2InstanceRole to the actual EC2 instance.
  • myNetworkInterface – The Elastic Network Interface that will be attached to our EC2 instance. Our Security Group, OpenVPNInstanceSG is also associated with this interface.
  • myS3Bucket – This is the S3 bucket where our client profile and secrets will be stored.
  • EC2OpenVPNInstance – The EC2 instance that will host OpenVPN. To determine the AMI image to use, the Intrinsic function !FindInMap gets the value of the key matching the AWS::Region pseudo parameter (returns the region the template is being run within). myNetworkInterface and ec2InstanceProfile are associated with the instance. The SSH key ID specified in the parameter SSHKeyName is associated with the instance as well.

Using Our CloudFormation Template

So we’ve got our CloudFormation template in a text editor. Now what? CloudFormation templates need to be uploaded to AWS and run to create a stack, a collection of resources and their configurations. In this section, we’ll do that and then test to make sure that everything is working as expected.

Run the CloudFormation Template

Log in to the AWS Console and select CloudFormation from the list of services. Click Create Stack. Choose Upload a template to Amazon S3. Then, browse to select the local file on your computer and click Next. Use the default values for ClientIPCIDR and OpenVPNPort. Next, select an SSH key pair from the dropdown to associate with the EC2 instance. Click Next and then Create.

SSH into the EC2 Instance

Wait for the stack build to complete (this could take a few minutes). Copy the output values for myS3BucketOut and myEIPOut in the CloudFormation Outputs tab at the bottom of the page. SSH into the instance, replacing the IP address and yourKeyName with your own values:ssh -i "yourKeyName.pem" ec2-user@ the command to SSH into the instance. Be sure you run it in the same directory that you have the matching key, or provide a full absolute or relative path to your key file.NOTE: If you’re using a newly created key for this EC2 instance, you may receive a “Permission Denied” message the first time you try to use it. You can avoid this by changing your key permissions:sudo chmod 400 yourKeyName.pem

Test S3 Access from EC2

Next, we’ll make sure that our EC2 instance has the proper permissions to create objects in our S3 bucket. Create a new file:echo "testamundo" > test.txtUpload the file to S3, replacing the bucket name with your bucket name (found in the CloudFormation Outputs tab):aws s3 cp testamundo.txt s3://test3-mys3bucket-1num7ykizegrgList the contents of the S3 bucket, replacing the bucket name with your bucket name:aws s3 ls s3://test3-mys3bucket-1num7ykizegrg

Test Internet Access from EC2

Finally, we want to make sure our networking is properly configured so that our EC2 instance has a route to and from the Internet. Use the following command to do so:sudo yum update -y


That’s all for now! We’ve reached the end of part one. So far, we have created a template that sets up a new VPC with a single subnet, with a default route out to the internet. We connected to our EC2 instance to confirm that it has access to the Internet and to our created S3 bucket.

In part two, we’ll extend the CloudFormation template to create a functional OpenVPN server that we can use to keep connections secure, for example, on public WiFi networks.

Additional Reading

If you’re completely new to CloudFormation, we may have used some unfamiliar terms and language in our syntax. You can read more in the following links.

Resource Type Reference

You can find detail on all of the resource type definitions used within our template here.

Intrinsic Functions

Intrinsic functions let us access parameters that aren’t normally available until runtime. Here are links to more information about the ones we used in our base template:!GetAtt!Ref!FindInMap

Pseudo Parameters

We use pseudo parameters with the Ref function. These are predefined by CloudFormation and used to refer to certain parts of the stack currently being created. You can find more information here.


Get more insights, news, and assorted awesomeness around all things cloud learning.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?